18 matches found
CVE-2019-14976
CVE-2019-14976 affects iCMS 7.0.15, exposing a cross-site scripting (XSS) vulnerability in the admin panel. The issue arises via the keywords parameter in admincp.php?app=apps, potentially enabling injection of malicious client-side script. Multiple connected sources (NVD/NIST entries and Red Hat...
CVE-2023-42322
The CVE-2023-42322 entry concerns an Insecure Permissions vulnerability in icmsdev iCMS v7.0.16 that enables a remote attacker to obtain sensitive information. The root cause is insecure permissions governing access to data, leading to information disclosure with high impact (Confidentiality/Inte...
CVE-2018-9924
CVE-2018-9924 affects idreamsoft iCMS up to version 7.0.7. The vulnerability is a SQL injection via the pid array parameter in admincp.php?app=tag&do=save&frame=iPHP. Exploitation details are not provided beyond the description; the CVSS metrics in the entry indicate high/critical impact (CRITICA...
CVE-2018-9925
The CVE-2018-9925 issue affects idreamsoft iCMS up to version 7.0.7. An XSS vulnerability exists in the nickname field processed by the admincp.php?app=user&do=save&frame=iPHP request. The connected sources corroborate a cross-site scripting vulnerability in iCMS 7.0.7 and earlier, enabling injec...
CVE-2018-14415
CVE-2018-14415 affects idreamsoft iCMS prior to 7.0.10. A cross-site scripting (XSS) vulnerability exists via the fourth and fifth input elements on the page admincp.php?app=prop&do=add. The issue is confirmed by the primary description and corroborated by CNVD/NVD references; CVSS metrics...
CVE-2018-14858
The CVE-2018-14858 entry affects idreamsoft iCMS prior to 7.0.11. The vulnerability is an SSRF in the remote function at app/spider/spider_tools.class.php, which does not block DNS hostnames mapped to private/reserved IPs (e.g., 10.0.0.0/8). Root cause is an incomplete fix from CVE-2018-14514. Im...
CVE-2018-15895
CVE-2018-15895 affects idreamsoft iCMS 7.0.11. The vulnerability is an SSRF in the remote function at app/spider/spider_tools.class.php that does not block DNS hostnames tied to private/reserved IPs (e.g., 127.0.0.1), allowing requests to internal addresses. Root cause notes link to an incomplete...
CVE-2018-10117
The connected records confirm CVE-2018-10117 affects idreamsoft iCMS v7.0.7. The vulnerability is a CSRF flaw that enables an attacker to add an administrative account via the request: admincp.php?app=members&do=save&frame=iPHP. Root cause: CSRF in the admin account creation flow. Impact: potenti...
CVE-2018-18702
The CVE applies to iCMS v7.0.11, where spider.admincp.php is vulnerable to SQL injection via admincp.php?app=spider&do=import_rule. The vulnerability arises because upfile content is base64 decoded, deserialized, and used to form a database insertion, allowing for injected SQL. CVSS shows high se...
CVE-2023-42321
CVE-2023-42321 describes a CSRF vulnerability in icmsdev iCMS v7.0.16 that could allow a remote attacker to execute arbitrary code via the files user.admincp.php, members.admincp.php, and group.admincp.php. The available connected documents consistently identify the vulnerable component and im...
CVE-2018-14514
The CVE-2018-14514 issue affects idreamsoft iCMS, specifically V7.0.9, with a server-side request forgery (SSRF) flaw that can let an attacker read sensitive files or access an intranet. Related entries (CVE-2018-14858) confirm the underlying cause: the remote function in app/spider/spider_tools....
CVE-2018-12498
CVE-2018-12498 affects iCMS v7.0.8. The flaw is a SQL injection in spider.admincp.php triggered by the id parameter in an app=spider&do=batch request to admincp.php, enabling arbitrary SQL execution through that parameter. The root cause is improper handling/validation of user-supplied input in t...
CVE-2018-10222
CVE-2018-10222 concerns idreamsoft iCMS V7.0. A CSRF vulnerability exists that can be used to add a Column via the request path /admincp.php?app=article_category&do=save&frame=iPHP. The connected CNVD and CNVD-derived records describe this same CSRF issue in iCMS 7.0, with no public details on affe...
CVE-2018-10250
iCMS v7.0.8 contains a Cross-Site Scripting (XSS) vulnerability in the weixin_category action, exploited via the admincp.php keywords parameter. The issue arises from insufficient sanitization of the keywords input, enabling injection of arbitrary script/HTML when interacting with the WeChat Clas...
CVE-2018-9922
CVE-2018-9922 affects idreamsoft iCMS up to version 7.0.7. The issue is a physical path leakage caused by an invalid nickname field that reveals the core/library/weixin.class.php pathname. Exploitation details are not provided in the connected documents. No remediation steps or patched versions a...
CVE-2018-9923
CVE-2018-9923 affects idreamsoft iCMS up to version 7.0.7. The vulnerability is a CSRF in admincp.php that allows an attacker to add an article by sending a crafted request such as app=article&do=save&frame=iPHP. This is described in multiple sources (NVD/NVD mirror and CVE records) and is action...
CVE-2019-6259
CVE-2019-6259 affects idreamsoft iCMS v7.0.13. The issue is a SQL injection via the app/article/article.admincp.php _data_id parameter, indicating improper input handling in that parameter is the root cause. The vulnerability can compromise data confidentiality, integrity, and availability as des...
CVE-2018-16314
The CVE-2018-16314 issue affects idreamsoft iCMS 7.0.11, specifically the admincp.php CSRF verification. If CSRF_TOKEN is absent, the system validates only the Referer header, which can be bypassed via an admincp.php substring within that header. This describes a CSRF protection bypass vulnerab...